US Government websites set up to help people gain access to information about AIDS have been leaking data about their users. Anyone visiting AIDS.gov and making use of the search box will probably be concerned to learn that, until the end of last month, data was transmitted in unencrypted form. The Washington Post points out that this data could be very easily intercepted and used to identify an individual.
We know that web users are more concerned about privacy than ever before -- and little wonder when authorities say that privacy is not a right. We know that there are various ways in which web activity can be monitored, but it seems that the smartphone app associated with AIDS.gov included this feature as standard -- the app collected and transmitted the latitude and longitude of users, again unencrypted.
Following questions from the Washington Post, Miguel Gomez, director of AIDS.gov, said: "We started requiring SSL for the [services] Locator because we understood that information should be encrypted to protect privacy". The Post points out that while encryption has been available "for those who knew how to activate it" since 2013, unencrypted data about people looking for healthcare information has been transmitted since 2010.
AIDS.gov is not the only site which has a history of poor security. Another unnamed site, which provides help with locating HIV testing centers, only started to encrypt user data this week.
The lack of encryption was discovered by security researcher Steve Roosa, who was surprised to learn that a government-run service dealing with sensitive health information handled data so poorly. He found that widgets on the pages, such as Facebook, Twitter and other social elements, could create cookies that snoopers could easily intercept and use to identify individuals. This would be concerning for any website or app, but when dealing with AIDS and HIV, which still, sadly, have great stigma attached to them, security is all the more important.
Peter Eckersley from privacy advocates Electronic Frontier Foundation said: "We should be exasperated at the lack of security competence of so many branches of our government, when clearly that government does employ a lot of people who understand exactly how cyber-security works and how to break it".